Create a user and grant permissions for an OceanBase cluster instance


This topic describes how to create a standard account for an Oracle tenant of an OceanBase cluster instance. It also describes the minimum permissions required for the standard account during each stage of data migration.

Background information

OceanBase cluster instances support standard accounts and super accounts. When you use Data Transmission Service to migrate data from an OceanBase cluster instance:

  • If you use a standard account, you must grant permissions as described in this topic.

  • If you use a super account, it has read and write permissions on all databases by default.

The standard account created in this topic is used for the Username field when you create an OceanBase data source.

To migrate tables without unique keys, you must also create a __OCEANBASE_INNER_DRC_USER user with read-only permissions before you start the data migration task. The password for this user is required in the __OCEANBASE_INNER_DRC_USER Password field when you create an OceanBase data source.

Create a standard account for the cluster instance

  1. Go to the Cluster Instance Workbench page.

    1. Log on to the OceanBase Management Console.

    2. In the upper-left corner of the console page, select the region where the target instance is located.

    3. In the navigation pane on the left, click Instance List, and then click the name of the target instance.

  2. Go to the Account Management page.

    1. On the Cluster Instance Workbench page, click Tenant Management in the navigation pane on the left.

    2. On the Tenant List page, click the name of the target tenant that has a Tenant Mode of Oracle.

    3. On the Tenant Workbench page, click Account Management in the navigation pane on the left.

  3. On the Account Management page, click Create Account in the upper-right corner.

  4. In the Create Account dialog box, configure the parameters.

    | Parameter | Description |
    | --- | --- |
    | Username | Must start with a letter and end with a letter or digit. It can contain letters, digits, and underscores (_). The length cannot exceed 32 characters. |
    | Account Type | Select Standard Account. This account can be granted permissions to perform operations on authorized databases. For more information about permissions, see Account permissions for Oracle tenants. |
    | Password | The password must be 10 to 32 characters long and contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters. Special characters include !@#$%^&*()_+-=. You can also click Randomly Generate to automatically fill in a password. Note: You can click Copy Password to copy the password and store it in a safe place. |
    | Remarks (Optional) | Enter remarks for the account. |

  5. Click OK.

Manage access objects

Follow these steps to grant the standard account access to the required tables. Grant permissions based on the requirements described in the following sections.

  1. Go to the Account Management page for the Oracle tenant.

  2. In the row of the target standard account, click Manage Access Objects.

  3. In the Manage Access Objects dialog box, click Add Object in the upper-right corner.

  4. In the Add Object dialog box, configure the parameters.

    | Parameter | Description |
    | --- | --- |
    | Add Method | You can add objects using the Specify Object or Import Object method. |
    | Select Object | If you select Specify Object, select the table objects to which you want to grant permissions from the Source Object list on the left. Then, click > to add them to the list on the right. If you select Import Object, paste the table objects to which you want to grant permissions into the input box. Use the username.objectname format. Separate multiple objects with commas (,). |
    | Grant Permission | Permissions include Read-only and Read/Write. Grant permissions as needed. |

  5. Click OK.

Permissions for a standard account of a source cluster instance

The following table describes the minimum permissions required for a standard account of an OceanBase cluster instance (in Oracle tenant mode) when it is used as a source. The permissions are listed by data migration stage.

| Table classification | Schema migration | Full migration | Incremental synchronization | Full data verification | Reverse Incremental |
| --- | --- | --- | --- | --- | --- |
| Tables with primary keys or non-null unique keys | Read-only | Read-only | Read-only | Read-only | Read/Write |
| Tables without primary keys or non-null unique keys | Read-only | Read-only; requires the __OCEANBASE_INNER_DRC_USER user | Read-only | Requires the __OCEANBASE_INNER_DRC_USER user | Read/Write |

Permissions for a standard account of a destination cluster instance

The following table describes the minimum permissions required for a standard account of an OceanBase cluster instance (in Oracle tenant mode) when it is used as a destination. The permissions are listed by data migration stage.

| Table classification | Schema migration | Full migration | Incremental synchronization | Full data verification | Reverse incremental synchronization |
| --- | --- | --- | --- | --- | --- |
| Tables with primary keys or non-null unique keys | Read/Write | Read/Write | Read/Write | Read-only | Read-only |
| Tables without primary keys or non-null unique keys | Read/Write | Read/Write | Read/Write | Not supported | Read-only |

Create and authorize the __OCEANBASE_INNER_DRC_USER user

  1. Go to the Tenant Workbench page in the OceanBase Management Console.

  2. On the Tenant Workbench page, click Log on to Database in the upper-right corner.

  3. In the Select Database Account dialog box, enter or select the name of the database that you want to log on to from the drop-down list, and then click OK.

  4. In the Please enter the connection password dialog box, enter the password for the database account, and then click OK.

  5. After you log on to the database, execute the following command to create the __OCEANBASE_INNER_DRC_USER user.

    CREATE USER '__OCEANBASE_INNER_DRC_USER' IDENTIFIED BY <YOUR_PASSWORD>;

  6. After the user is created, execute the following commands to grant permissions to the user.

    GRANT CREATE SESSION TO '__OCEANBASE_INNER_DRC_USER';
    GRANT SELECT ANY DICTIONARY TO '__OCEANBASE_INNER_DRC_USER';

    You can grant the SELECT permission on the tables to be migrated in one of the following two ways.

    -- Grant system permissions
    GRANT SELECT ANY TABLE TO '__OCEANBASE_INNER_DRC_USER';
    -- Grant object permissions (Only specific database and table objects are supported)
    GRANT SELECT ON <schema>.<table> TO '__OCEANBASE_INNER_DRC_USER';
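
Of the two options above, object permissions keep the __OCEANBASE_INNER_DRC_USER user limited to the tables that are actually migrated. The following added example (not part of the original documentation) turns a list in the username.objectname format used by Import Object into the per-table GRANT statements; the schema and table names are constructed, and the identifier pattern is an assumption that covers unquoted names only.

```python
import re

DRC_USER = "__OCEANBASE_INNER_DRC_USER"
# Assumption: unquoted Oracle-style identifiers only. Anything else is rejected
# rather than escaped, so a crafted table name cannot alter the generated SQL.
IDENT_RE = re.compile(r"[A-Za-z][A-Za-z0-9_$#]{0,127}")

# Constructed sample: tables without unique keys, in username.objectname format.
SAMPLE = "APP.ORDERS_LOG, APP.AUDIT_TRAIL, APP.ORDERS_LOG"


def parse_objects(spec: str) -> list[tuple[str, str]]:
    """Parse a comma-separated username.objectname list, dropping duplicates."""
    objects = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        parts = item.split(".")
        if len(parts) != 2 or not all(IDENT_RE.fullmatch(p) for p in parts):
            raise ValueError(f"not a valid username.objectname entry: {item!r}")
        pair = (parts[0], parts[1])
        if pair not in objects:
            objects.append(pair)
    return objects


def drc_grants(spec: str) -> list[str]:
    """Statements for the read-only DRC user, using object permissions only."""
    stmts = [
        f"GRANT CREATE SESSION TO '{DRC_USER}';",
        f"GRANT SELECT ANY DICTIONARY TO '{DRC_USER}';",
    ]
    stmts += [f"GRANT SELECT ON {s}.{t} TO '{DRC_USER}';" for s, t in parse_objects(spec)]
    return stmts


def import_object_text(spec: str) -> str:
    """Normalized list to paste into the Import Object input box."""
    return ",".join(f"{s}.{t}" for s, t in parse_objects(spec))


if __name__ == "__main__":
    print("\n".join(drc_grants(SAMPLE)))
```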